There is no task more difficult for a CISO than stepping into that role at a large organization that has never had a CISO and has recently experienced a devastating breach that is at least partly responsible for the departure of senior IT management and the CEO.
securitycurrent polled its contributors to compile advice for Brad Maiorino, newly appointed as the first CISO at Target. They offered the following:
“The security concerns at a retailer are dramatically different than at a manufacturer such as General Motors or General Electric. Every organization has a base level of security requirements that includes endpoint hygiene, user access control, and compliance. What sets retail apart from a manufacturer is the different community of threat actors. So my advice is change your mindset from defending against industrial espionage, a long term threat, to defending against cyber criminals who have only one goal: infiltrate your transaction process at any level to steal customer data.” Analyst Richard Stiennon
“No matter how large the security budget and how many people report to you, remember it’s about providing leadership and enabling everyone in the company to be diligent about security. The Target breach showed that they had spent millions on the best security tools and technology and had hundreds of security staff. They even detected the breach in their monitoring alerts, but the focus and attention to detail were easily overlooked. You want to make security everyone’s business.” David Hahn, Hearst Corp CISO
“I suspect Target’s new CISO has already thought of this and a whole lot more. But, for what it’s worth, I offer the following: focus on inventorying existing capabilities as a separate constructive step from a detailed gap analysis (you can’t do the latter without the former anyway). Address glaring deficiencies as soon as possible if you find any of course, but in starting out to build the new security program, look for existing controls that are effective and create the foundation from the good work being done around you. There’s been a lot written about how the Target breach demonstrates that being PCI compliant is not enough. But once you’re working from the inside, PCI compliance means that there are controls in place. So, find where there are people and processes that are working well already and leverage and support them.” David Sheidlower, BBDO CISO
“I’m going to assume that you have the knowledge and experience that meets the description of the job, and the skills that Target was looking for in their CISO role. That leads me to also believe you already have a plan in mind of what you want to do when you start. With this in mind, I’d like to offer my suggestion that you do two things in the first 60 days in your role that are strategic in nature. First, quickly evaluate what has already been done at Target in the timeframe since the security breach and make strong and appropriate decisions as to what has been done that is sufficient, what is insufficient at this time, and what your plan will be to close the gaps. This will provide immediate value to you and your role, and establish you as the security leader that you need to be. Secondly, quickly establish key relationships within Target that will provide you immediate and long-term support and feedback. I would meet with the company’s legal counsel, internal audit, human resources, ethics and compliance and the controller. Share with them what you are thinking, ask them for their pain points, and do everything that you can to meet their needs. Tell them that you expect them to hold you accountable for what you’ve discussed, and that they can provide you frank feedback regarding your plans for Target. This will create an immediate “personnel board of directors” to gauge your progress and plans, and set the stage for an excellent security executive group in the long term.” David Sherry, Brown University CISO
“Though organizations have very different concerns based on their industry, there are some basic things that need to be done upon entering as the first CISO or one trying to come in after a breach has happened. The first thing is to establish a priority list. The fortunate side of having had a breach happen is that you have a clear issue that is your top priority; however, filling out the list is just as important. That being the case, a comprehensive risk assessment is needed immediately. Similarly, as a first CISO of an organization, you need to have a risk assessment performed to help set your priorities. Additionally, in both scenarios, you need to understand your ability to respond to an event. Therefore, quickly measuring your Incident Response processes and their integration with the rest of your organization is important. You are only as good as your ability to respond to an incident. That is because there will always be risk that needs mitigating or acceptance. Upon the unfortunate exploitation of that risk, you must be able to respond quickly and appropriately.” Larry Whiteside Jr., LCRA CISO
“Warren Buffett stated, “In the business world, the rearview mirror is always clearer than the windshield.” This applies to security as well. It’s easy to be on the outside looking in and playing Monday morning quarterback with any security failure. But it takes a leader of Maiorino’s caliber to step up and restore customer confidence. While easier said than done, ignore those trying to tear you down and focus on what made you successful to begin with. Focus on building a strong organizational security culture where security is not simply a nice-to-have, but a value-addition to every business unit and is entrenched in the entire process and throughout the supply chain. Removing technical silos and aligning with the business will likely be on the short list to create quick wins and lead the security program forward.” Mike Saurbaugh, Corning Federal Credit Union Information Security Manager
“Looking at the list of compliance requirements, it may appear that your security needs are covered. In my experience, compliance does not equal security. It is very easy to spend your entire security budget to make sure that every check box on that audit sheet is filled, but this doesn’t mean that the jewels of the kingdom are safe and secure. Coming into a new organization, the first thing that I would do would be to check to see if the programs in place were there just to satisfy a checklist. One of the most useful programs that we have developed looks at the netflow data of all traffic leaving the University. By analyzing this for malicious behaviors, we are able to pinpoint compromised systems. This is not something that appears on any of the compliance checklists, but it does allow us to remove compromised machines from our network.” Joel Rosenblatt, Columbia University head of networks and computer security
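Outbound-flow analysis of the kind Rosenblatt describes, as an added example that is not Columbia's program or any code from the page: it reads constructed NetFlow-style records (timestamp, source, destination, port, bytes sent) and flags internal hosts that either call home to one external host on a near-fixed schedule (beaconing) or push an unusually large volume to one external host. The record layout, the RFC 1918 definition of "internal", the sample addresses (documentation ranges) and the thresholds are all assumptions chosen for the illustration.

```python
"""Flag internal hosts whose outbound flows look compromised.

Added example (hypothetical, not Columbia's program). Two heuristics over
outbound flow records: periodic beaconing to a single external host, and
an unusually large outbound byte count to a single external host.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: "internal" means RFC 1918 space. (ipaddress.is_private is not
# used because it also marks the documentation ranges below as private.)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records, not real traffic:
# (unix_time, src_ip, dst_ip, dst_port, bytes_sent_by_src)
SAMPLE_FLOWS = (
    # host A: ~300 s beacon with small jitter to one external host, tiny payloads
    [(1_700_000_000 + 300 * i + (i % 3), "10.0.0.5", "203.0.113.10", 443, 600)
     for i in range(8)]
    # host B: three very large uploads to one external host
    + [(1_700_001_000 + 60 * i, "10.0.0.7", "198.51.100.20", 443, 200_000_000)
       for i in range(3)]
    # host C: ordinary browsing, irregular timing, modest sizes, several peers
    + [(1_700_000_050, "10.0.0.9", "192.0.2.44", 443, 4_200),
       (1_700_000_411, "10.0.0.9", "203.0.113.77", 80, 12_000),
       (1_700_001_930, "10.0.0.9", "198.51.100.5", 443, 880),
       (1_700_002_015, "10.0.0.9", "192.0.2.44", 443, 3_100)]
    # periodic internal-only traffic (DNS) that must be ignored
    + [(1_700_000_000 + 300 * i, "10.0.0.5", "10.0.0.1", 53, 90) for i in range(8)]
)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_sessions(flows):
    """Group flows leaving the network by (src, dst, port), sorted by time."""
    sessions = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            sessions[(src, dst, port)].append((ts, nbytes))
    for records in sessions.values():
        records.sort()
    return sessions


def interval_regularity(timestamps):
    """Return (mean_gap, coefficient_of_variation) for sorted timestamps,
    or None when there are too few gaps to judge. A low CV means the host
    contacts the peer on a near-fixed schedule."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_suspicious_hosts(flows, min_beacons=6, max_cv=0.1, volume_threshold=100_000_000):
    """Return findings for hosts that beacon or move a large volume outward.
    Thresholds are assumptions; tune them against the real baseline."""
    findings = []
    for (src, dst, port), records in outbound_sessions(flows).items():
        timestamps = [ts for ts, _ in records]
        total = sum(n for _, n in records)
        reg = interval_regularity(timestamps)
        if len(records) >= min_beacons and reg is not None and reg[1] <= max_cv:
            findings.append({"host": src, "peer": f"{dst}:{port}", "reason": "beaconing",
                             "flows": len(records), "period_s": round(reg[0]),
                             "cv": round(reg[1], 3)})
        if total >= volume_threshold:
            findings.append({"host": src, "peer": f"{dst}:{port}", "reason": "volume",
                             "flows": len(records), "bytes": total})
    return sorted(findings, key=lambda f: (f["host"], f["reason"]))


if __name__ == "__main__":
    for finding in find_suspicious_hosts(SAMPLE_FLOWS):
        print(finding)
```

Run as a script, it reports host 10.0.0.5 beaconing to 203.0.113.10:443 with a 300 s period and host 10.0.0.7 sending 600 MB to 198.51.100.20:443; the browsing host and the internal DNS traffic produce nothing. On real flow exports the interesting part is the baseline: the volume threshold and the minimum beacon count need to come from what the organization's hosts normally do, or the output becomes another checklist item that nobody reads.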
“First off, make sure you have clear buy-in from the CEO and the Board of Directors. Second, make sure you have authority to do what you need to do. Third, check to see if your budget is adequate to the task. Fourth, kill your orphans. As John Kennedy once said, “there must be a better reason to do things one way than the fact that they have always been done that way.” Reexamine your relationships with vendors, suppliers, and specific technologies. No incumbent is safe, none is sacrosanct. Fifth, don’t let the perfect be the enemy of the good. Do something rather than nothing. Sixth, find your family jewels, and they may not be what you think they are. What gives Target value, or alternatively what if taken, destroyed or disrupted would harm the company most? Seventh, know that you will fail. And fail miserably. Plan accordingly. Often it’s not about preventing attacks but surviving them.” Mark Rasch, lawyer and former head of the United States Department of Justice Computer Crime Unit